Seagate Employee Tax Forms Stolen in Phishing Attack

The W-2 tax documents of several thousand current and former employees of data storage company Seagate ended up in the hands of fraudsters after an employee fell victim to a phishing attack.

Seagate confirmed to SecurityWeek that the 2015 W-2 tax form information for current and former employees based in the United States was sent to an “unauthorized party” in response to a phishing scam. The company noted that only tax information for the year 2015 was exposed in the breach that came to light on March 1.

“The information was sent by an employee who believed the phishing email was a legitimate internal company request. When we learned of the incident, we immediately notified the IRS which is now actively investigating it along with federal law enforcement,” Seagate spokesman Eric DeRitis said in an emailed statement. “At this point we have no information to suggest that employee data has been misused, but caution and vigilance are in order. We deeply regret this mistake and we offer our sincerest apologies to everyone affected.”

DeRitis said the exact number of affected employees has only been shared with the IRS and federal authorities. “It's accurate to say several thousand, but it is less than 10,000 by a decent amount,” he told SecurityWeek.

The incident was first reported by security blogger Brian Krebs who learned about the incident from a former Seagate employee.

Seagate claims it’s in the process of making changes to prevent future incidents. In the meantime, the company will cover the costs of a two-year Experian ProtectMyID membership for affected employees.

W-2 forms, which show the amount of taxes withheld from an employee’s paycheck, are used to file federal and state taxes. These documents include social security numbers and other personal details, which can be leveraged by malicious actors to file fraudulent tax returns with the IRS.

It’s not uncommon for such information to be abused by fraudsters. The tax agency reported last month that cybercrooks had used stolen SSNs to generate over 100,000 PINs on the IRS’s Electronic Filing PIN application.

SSNs and other information was also used last year to target the IRS’s “Get Transcript” application. The agency revealed last week that the incident affected more than 700,000 taxpayers.

Business email compromise (BEC) scams, such as the one targeted at Seagate, are also increasingly common. Aircraft parts manufacturer FACC AG revealed in January that cybercriminals managed to steal $54 million in a scheme targeting the company’s finance department.

“Phishing scams are increasingly more sophisticated and convincing, and today’s news is a great example of how difficult it can be to avoid such targeted schemes. In this case, it appears that electronic digital rights management could have helped maintain data privacy," Scott Gordon, COO of file security company FinalCode, told SecurityWeek. “Using the proper controls for data access and encryption would ensure that the file owner – in this case Seagate –maintains control of the data, even after it was mistakenly sent. Certainly, the capability to remotely delete the files after they were sent would have been very useful too.”

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.